Abstract. We give a polynomial time Turing reduction from the $\gamma^2\sqrt{n}$-approximate closest vector problem on a lattice of dimension $n$ to a $\gamma$-approximate oracle for the shortest vector problem. This is an improvement over a reduction by Kannan, which achieved $\gamma^2 n^{3/2}$.



1 Introduction 

A lattice is the set of all integer combinations of $n$ linearly independent vectors $b_1, b_2, \dots, b_n$ in $\mathbb{R}^m$. These vectors are also referred to as a basis of the lattice. The successive minima $\lambda_i(L)$ (where $i = 1, \dots, n$) of a lattice $L$ are among the most fundamental parameters associated to a lattice. The value $\lambda_i(L)$ is defined as the smallest $r$ such that a sphere of radius $r$ centered around the origin contains at least $i$ linearly independent lattice vectors. Lattices have been investigated by computer scientists for a few decades, since the discovery of the LLL algorithm [14]. More recently, Ajtai [1] showed that lattice problems have a very desirable property for cryptography: they exhibit a worst-case to average-case reduction.

We now describe some of the most fundamental and widely studied lattice problems. Given a lattice $L$, the $\gamma$-approximate shortest vector problem ($\gamma$-SVP for short) is the problem of finding a non-zero lattice vector of length at most $\gamma\lambda_1(L)$. Let the minimum distance of a point $t \in \mathbb{R}^m$ from the lattice $L$ be denoted by $d(t, L)$. Given a lattice $L$ and a point $t \in \mathbb{R}^m$, the $\gamma$-approximate closest vector problem ($\gamma$-CVP for short) is the problem of finding a $v \in L$ such that $\|v - t\| \le \gamma\, d(t, L)$.

Besides the search version just described, CVP and SVP also have a gap version. The problem $\mathrm{GapCVP}_\gamma(B, t)$ asks for the distance of $t$ from the lattice $L(B)$ within a factor of $\gamma$, and $\mathrm{GapSVP}_\gamma(B)$ asks for $\lambda_1(B)$ within a factor of $\gamma$. This paper deals with the search version described above.

The problems CVP and SVP are quite well studied. The gap versions of the problems are arguably easier than their search counterparts. We know that CVP and SVP can be solved exactly in deterministic $2^{O(n)}$ time [18, 4]. In polynomial time they can be approximated within a factor of $2^{n\log\log n/\log n}$ using LLL [14] and subsequent improvements by Schnorr [21] and Micciancio et al. [18] (for details, see the book by Micciancio and Goldwasser [9]). On the other hand, it is known that there exists $c > 0$ such that no polynomial time algorithm can approximate GapCVP and GapSVP within a factor of $n^{c/\log\log n}$, unless P = NP or another unlikely scenario is true [7, 10]. The security of the cryptosystems following Ajtai's seminal work [1] is based on the worst-case hardness of $O(n^2)$-GapSVP [20, 19, 15]. In the hardness area, CVP is much better understood than SVP. For example, as opposed to CVP, until now all known NP-hardness proofs for SVP [2, 17, 13, 10] are randomized. A way to prove deterministic hardness of SVP is to prove better reductions from CVP to SVP. This paper aims to study and improve the known relations between these two problems.

A closely related result is due to Kannan [11], who gave a way to solve $\sqrt{n}$-CVP using an exact SVP oracle. A generalization of his reduction was used to solve CVP within a factor of $(1 + \epsilon)$ by reducing it to sampling short vectors in the lattice [3]. The improvement from $\sqrt{n}$ to $(1 + \epsilon)$ is achieved mainly because that reduction uses $2^{O(n)}$ time instead of polynomial time. It is also known that a $\gamma$-CVP oracle can be used to solve $\gamma$-SVP [8].

In a survey [12], Kannan gave a different reduction, from $\gamma^2 n^{3/2}$-CVP to $\gamma$-SVP. A few words of comparison between our method and the method used by Kannan [12]: Kannan uses the dual lattice (denoted by $B^* = (B^T)^{-1}$, where $B^T$ is the transpose of the matrix $B$) and the transference bound $\lambda_1(B)\lambda_1(B^*) \le n$ to find a candidate close vector. Because he applies the SVP oracle to both $L$ and $L^*$, he loses an additional factor of $n$. Our method does not use the dual lattice.

Our contribution: We improve the result by Kannan [12], which shows that $\gamma^2 n^{3/2}$-CVP can be solved using an oracle for $\gamma$-SVP, and solve $\gamma^2\sqrt{n}$-CVP using the same oracle.

For this, we essentially combine the earlier result by Kannan [11] with a 
reduction by Lyubashevsky and Micciancio [15], as we explain now in some 
detail. 

Our starting point is the earlier reduction by Kannan, which solves $\sqrt{n}$-CVP using an exact SVP oracle. In order to explain our ideas, we first shortly describe his reduction. Given a CVP instance $B \in \mathbb{Q}^{m \times n}$, $t \in \mathbb{R}^m$, Kannan uses the SVP oracle to find $\lambda_1(B)$. He then creates the new basis
$$B' = \begin{pmatrix} B & t \\ 0 & a \end{pmatrix},$$
where he picks $a$ carefully, somewhat smaller than $\lambda_1(B)$. Now, if $d(t, B)$ is significantly smaller than $\lambda_1(B)$ (say, $\lambda_1(B)/3$), then the shortest vector in $B'$ is $\binom{t^\dagger - t}{-a}$, where $t^\dagger$ is the lattice vector closest to $t$ (i.e., the vector we are trying to find). On the other hand, if $d(t, B)$ is larger than $\lambda_1(B)/3$, then Kannan projects the instance in the direction orthogonal to the shortest vector of $B$. This reduces the dimension by 1, and an approximation in the resulting instance can be used to get an approximation in the original instance, because the projected approximation can be "lifted" to find some original lattice point which is not too far from $t$.

We show that in case we only have an approximation oracle for SVP, we can argue as follows. First, if $d(t, B) < \frac{\lambda_1(B)}{2\gamma}$, then we have an instance of a so called "Bounded Distance Decoding" problem. By a result of Lyubashevsky and Micciancio [15], this can be solved using the oracle we assume. In case $d(t, B) \ge \frac{\lambda_1(B)}{2\gamma}$ we can recurse in the same way as Kannan does. The approximation factor $\gamma^2\sqrt{n}$ comes from this case: lifting a projection after the recursion returns incurs an error of roughly half the length of the vector $v$ which was used to project. Since this $v$ can have length almost $\gamma\lambda_1(B)$, and $\lambda_1(B) \le 2\gamma\, d(t, B)$ in this case, the length of $v$ can be almost a factor $2\gamma^2$ larger than $d(t, B)$. The squares of these errors then add up as in Kannan's reduction, which gives a total approximation factor of $\gamma^2\sqrt{n}$.

We remark that even though we do not know which of the two cases applies, we can simply run both, and then use the better result.

Finally, we would like to mention that to the best of our knowledge there is 
no published proof that in Kannan's algorithm [11] the projected bases have a 
representation which is polynomial in the input size. We show that this is indeed 
the case. For this, it is essentially enough to use a lemma from [9] which states 
that the vectors in a Gram-Schmidt orthogonalization have this property. 

2 Preliminaries 
2.1 Notation 

A lattice basis is a set of linearly independent vectors $b_1, \dots, b_n \in \mathbb{R}^m$. It is sometimes convenient to think of the basis as an $m \times n$ matrix $B$, whose $n$ columns are the vectors $b_1, \dots, b_n$. The lattice generated by the basis $B$ will be written as $L(B)$ and is defined as $L(B) = \{Bx \mid x \in \mathbb{Z}^n\}$. The span of a basis $B$, denoted as $\mathrm{span}(B)$, is defined as $\{By \mid y \in \mathbb{R}^n\}$. We will assume that the lattice is over the rationals, i.e., $b_1, \dots, b_n \in \mathbb{Q}^m$, and the entries are represented by a pair of numerator and denominator. An elementary vector $v \in L(B)$ is a vector which cannot be written as a non-trivial multiple of another lattice vector.

A shortest vector of a lattice is a non-zero vector in the lattice whose $\ell_2$ norm is minimal. The length of the shortest vector is $\lambda_1(B)$, where $\lambda_1$ is as defined in the introduction. For a vector $t \in \mathbb{R}^m$, let $d(t, L(B))$ denote the distance of $t$ to the closest lattice point in $L(B)$; we also write $d(t, B)$ for it. We use $t^\dagger$ to denote a (fixed) closest vector to $t$ in $L(B)$.

For two vectors $u$ and $v$ in $\mathbb{R}^m$, $v|_u$ denotes the component of $v$ in the direction of $u$, i.e., $v|_u = \frac{\langle v, u\rangle}{\langle u, u\rangle}\, u$. Also, the component of $v$ in the direction orthogonal to $u$ is denoted by $v_{\perp u}$, i.e., the vector $v - v|_u$.

Consider a lattice $L(B)$ and a vector $v \in L(B)$ in the lattice. Then the projected lattice of $L(B)$ perpendicular to $v$ is $L(B_{\perp v}) := \{u_{\perp v} \mid u \in L(B)\}$. A basis of $L(B_{\perp b_1})$ is given by the vectors $\{(b_2)_{\perp b_1}, \dots, (b_n)_{\perp b_1}\}$.

For an integer $k \in \mathbb{Z}^+$ we use $[k]$ to denote the set $\{1, \dots, k\}$.



2.2 Lattice Problems 



In this paper we are concerned with the following approximation problems, which are parametrized by some $\gamma \ge 1$.

$\gamma$-SVP: Given a lattice basis $B$, find a non-zero vector $v \in L(B)$ such that $\|v\| \le \gamma\lambda_1(B)$.

$\gamma$-CVP: Given a lattice basis $B$ and a vector $t \in \mathbb{R}^m$, find a vector $v \in L(B)$ such that $\|v - t\| \le \gamma\, d(t, B)$.

We also use the following promise problems, which are parametrized by some $\gamma > 0$.

$\gamma$-BDD: Given a lattice basis $B$ and a vector $t \in \mathbb{R}^m$ with the promise that $d(t, L(B)) < \gamma\lambda_1(B)$, find a vector $v \in L(B)$ such that $\|v - t\| = d(t, B)$.

$\gamma$-uSVP: Given a lattice basis $B$ with the promise that $\lambda_2(B) > \gamma\lambda_1(B)$, find a non-zero vector $v \in L(B)$ such that $\|v\| = \lambda_1(B)$ (this makes sense only for $\gamma \ge 1$).

We assume that we are given a $\gamma$-SVP oracle, denoted by $\mathcal{O}$. When given a set of linearly independent vectors $B = \{b_1, b_2, \dots, b_n\} \in \mathbb{Q}^{m \times n}$, $\mathcal{O}(B)$ returns an elementary vector $v \in L(B)$ which satisfies $0 < \|v\| \le \gamma\lambda_1(L(B))$ (if $v$ is not elementary then we can find out the multiple and recover the corresponding elementary vector).

3 Some basic tools 

Given a basis $B$ and an elementary vector $v \in L(B)$, we can in polynomial time find a new basis of $L(B)$ of the form $\{v, b_2', \dots, b_n'\}$. To do this we use the following lemma from Micciancio [16] (page 7, Lemma 1), which we specialized somewhat for our needs.

Lemma 1. There is a polynomial time algorithm $\mathrm{findbasis}(v, B)$ which, on input an elementary vector $v$ of $L(B)$ and a lattice basis $B \in \mathbb{Q}^{m \times n}$, outputs $B' = (b_2', \dots, b_n')$ such that $L(v, b_2', \dots, b_n') = L(B)$.

Lemma 2. Let $L(B)$ be a lattice and $v \in L(B)$ be a vector in the lattice. If $L(B_{\perp v})$ is the projected lattice of $L(B)$ perpendicular to $v$, then $\lambda_i(B_{\perp v}) \le \lambda_{i+1}(B)$ for $i \in [n-1]$.

Proof. Let $v_j$ be a vector of length $\lambda_j(B)$ such that $\{v_1, \dots, v_n\}$ are linearly independent. A set of such vectors exists [9]. Fix $i \in [n-1]$ and consider the projections $(v_1)_{\perp v}, \dots, (v_{i+1})_{\perp v}$, which all lie in $L(B_{\perp v})$. The projection orthogonal to $v$ has a one-dimensional kernel, so these $i+1$ projections span a space of dimension at least $i$; hence among them there are $i$ linearly independent non-zero vectors, each of length at most $\|v_{i+1}\| = \lambda_{i+1}(B)$, because a projection cannot increase the length of a vector. This proves $\lambda_i(B_{\perp v}) \le \lambda_{i+1}(B)$. $\square$

We use the following reduction due to Lyubashevsky and Micciancio [15].

Theorem 1. For any $\gamma \ge 1$, there is a polynomial time oracle reduction from $\mathrm{BDD}_{1/(2\gamma)}$ to $\mathrm{uSVP}_\gamma$.

For completeness, we sketch a proof of Theorem 1 in Appendix A. 



4 Reducing CVP to SVP 



We prove the following theorem: 

Theorem 2. Given a basis $B \in \mathbb{Q}^{m \times n}$ and a vector $t \in \mathbb{R}^m$, the problem $\gamma^2\sqrt{n}$-CVP is Turing reducible to the problem $\gamma$-SVP in time $\mathrm{poly}(n, \log\gamma, \max_i \log\|b_i\|)$.

In this section we give the algorithm to prove our theorem, and show that 
once it terminates, it satisfies the requirements of the theorem. We will show 
that the algorithm runs in polynomial time in the next section. 

The reduction takes as input a basis $B \in \mathbb{Q}^{m \times n}$ and a vector $t \in \mathbb{R}^m$. Recall that the oracle $\mathcal{O}$ takes as input a basis over $\mathbb{Q}$ and outputs an elementary vector which is a $\gamma$-approximation to the shortest vector. The reduction is given in Algorithm 1.



Algorithm 1 CVP(B, t) (input: $B \in \mathbb{Q}^{m \times n}$, $t \in \mathbb{Q}^m$)

1: if $n = 1$ then
2:   Let $b_1$ be the only column of $B$.
3:   return $a b_1$ with $a \in \mathbb{Z}$ such that $\|a b_1 - t\|$ is minimal.
4: else
5:   $z_1 \leftarrow \frac{1}{2\gamma}$-BDD$(B, t)$ (solve this with calls to $\mathcal{O}$ as in Theorem 1)
6:   $v \leftarrow \mathcal{O}(B)$
7:   $\{b_2, \dots, b_n\} \leftarrow \mathrm{LLL}(\mathrm{findbasis}(v, B))$
8:   $\forall i \in \{2, \dots, n\}$: $(b_i)_{\perp v} \leftarrow b_i - b_i|_v$
9:   $B_{\perp v} \leftarrow \{(b_2)_{\perp v}, \dots, (b_n)_{\perp v}\}$
10:  $t_{\perp v} \leftarrow t - t|_v$
11:  $z_2' \leftarrow \mathrm{CVP}(B_{\perp v}, t_{\perp v})$
12:  Find $(a_2, \dots, a_n) \in \mathbb{Z}^{n-1}$ such that $z_2' = \sum_{i=2}^{n} a_i (b_i)_{\perp v}$
13:  Find $a_1 \in \mathbb{Z}$ such that $z_2 = a_1 v + \sum_{i=2}^{n} a_i b_i$ is closest to $t$
14:  return the element of $\{z_1, z_2\}$ which is closest to $t$.
15: end if



In line 5, we can simulate an oracle for $\frac{1}{2\gamma}$-BDD using $\mathcal{O}$, by Theorem 1. In line 7 we run the LLL algorithm on the basis returned by findbasis; this is an easy way to ensure that the representation of the basis does not grow too large (cf. the proof of Lemma 5). The optimization problem in line 13 is of course easy to solve: for example, we can find the $a_1' \in \mathbb{R}$ which minimizes the expression and then round $a_1'$ to the nearest integer.

Theorem 3. The approximate CVP solver (Algorithm 1) outputs a vector $z \in L(B)$ such that $\|z - t\| \le \gamma^2\sqrt{n}\, d(t, B)$.

Proof. We prove the theorem by induction on n. For the base case (i.e., n = 1) 
we find the closest vector to t in a single vector basis. This can be done exactly 
by finding the correct multiple of the only basis vector that is closest to t. 



When $n > 1$, we see that each run of the algorithm finds two candidates $z_1$ and $z_2$. We show that the one closer to $t$ is an approximation to the closest vector to $t$ in $L(B)$ for which
$$\|z - t\| \le \sqrt{n}\,\gamma^2\, d(t, B). \tag{1}$$
We divide the proof into two cases, depending on whether $d(t, B) < \frac{\lambda_1(B)}{2\gamma}$. It is sufficient to show that in each case one of $z_1$ or $z_2$ satisfies Equation (1).

1. If $d(t, B) < \frac{\lambda_1(B)}{2\gamma}$, the promise of $\frac{1}{2\gamma}$-BDD is satisfied. Thus, $z_1$ satisfies $\|z_1 - t\| = d(t, B)$.

2. If $d(t, B) \ge \frac{\lambda_1(B)}{2\gamma}$, we proceed as in Kannan's proof to show that $z_2$ satisfies Equation (1).

By the induction hypothesis, $z_2'$ satisfies
$$\|z_2' - t_{\perp v}\|^2 \le (n-1)\,\gamma^4\, d^2(t_{\perp v}, B_{\perp v}).$$
At this point, note first that $t = t_{\perp v} + \phi v$ for some $\phi \in \mathbb{R}$. Since also $\sum_{i=2}^{n} a_i b_i = z_2' + \eta v$ for some $\eta \in \mathbb{R}$, we can write
$$\|z_2 - t\|^2 = \|(a_1 v + z_2' + \eta v) - (t_{\perp v} + \phi v)\|^2 = \|(a_1 + \eta - \phi)\, v\|^2 + \|z_2' - t_{\perp v}\|^2,$$
where the two terms are orthogonal because $z_2' - t_{\perp v}$ is orthogonal to $v$. Since $a_1$ is chosen such that this expression is minimal, we have $|a_1 + \eta - \phi| \le \frac{1}{2}$, and so, using $\|v\| \le \gamma\lambda_1(B)$,
$$\|z_2 - t\|^2 \le \|z_2' - t_{\perp v}\|^2 + \frac{\|v\|^2}{4} \le \|z_2' - t_{\perp v}\|^2 + \frac{\gamma^2\lambda_1^2(B)}{4} \le (n-1)\,\gamma^4\, d^2(t_{\perp v}, L(B_{\perp v})) + \gamma^4 d^2(t, B) \le \gamma^4 n\, d^2(t, B).$$
The second last inequality follows from $\lambda_1^2(B) \le 4\gamma^2 d^2(t, B)$, which holds in this second case. To see the last inequality, note that $L(B_{\perp v})$ is a projection of $L(B)$ and $t_{\perp v}$ is a projection of $t$ in the direction orthogonal to $v$, and a projection cannot increase the length of a vector; hence $d(t_{\perp v}, L(B_{\perp v})) \le d(t, B)$.

Thus, in both cases one of Zi and z 2 satisfies the requirements, and so we get 
the result. □ 



5 Analysis of runtime 

In this section, we show that Algorithm 1 runs in polynomial time. Observe first that in each recursive call the number of basis vectors reduces by 1. Since all steps are obviously polynomial, it is enough to show that all the vectors generated during the run of the algorithm can be represented in polynomially many bits in the input size of the top level of the algorithm. For this, we can assume that the original basis vectors $B = \{b_1, \dots, b_n\}$ are integer vectors. This can be achieved by multiplying them with the product of their denominators. This operation does not increase the bit representation by more than a factor polynomial in $mn$. Assuming that the basis vectors are over the integers, a lower bound on the input size is given by $M = \max\{n, \log(\max_i \|b_i\|)\}$.

Given a basis $B = \{b_1, \dots, b_n\}$, the Gram-Schmidt orthogonalization of $B$ is $\{\tilde b_1, \dots, \tilde b_n\}$, where $\tilde b_i = b_i - \sum_{j < i} b_i|_{\tilde b_j}$. We need the following lemma from [9].

Lemma 3. [9] Let $B = \{b_1, \dots, b_n\}$ be $n$ linearly independent integer vectors. Define the vectors $\tilde b_i = b_i - \sum_{j < i} b_i|_{\tilde b_j}$. Then the representation of any vector $\tilde b_i$ as a vector of quotients of natural numbers takes at most $\mathrm{poly}(M)$ bits for $M = \max\{n, \log(\max_i \|b_i\|)\}$.

Lemma 4. Let $v_i$, $i \in [n]$, be the vector $v$ generated in the $i$th level of the recursion in line 6 of Algorithm 1.

There is a basis $x_1, \dots, x_n$ of $L(B)$ such that the vectors $v_i$ are given by the Gram-Schmidt orthogonalization of $x_1, \dots, x_n$. Furthermore, $x_1, \dots, x_n$ as well as $v_1, \dots, v_n$ are polynomially representable in $M$.

Proof. We first find lattice vectors $x_1, \dots, x_n \in L(B)$ which satisfy
$$x_i = v_i + \sum_{j=1}^{i-1} s_j v_j$$
for some $s_j \in [-\frac{1}{2}, \frac{1}{2}]$, and then show that these vectors satisfy the claim of the lemma.

To see that such vectors exist, let $B_j$ be the basis in the $j$th level of the recursion of Algorithm 1. Then, we note that given a vector in $L(B_j)$ one can find a lattice vector in $L(B_{j-1})$ at distance at most $\frac{\|v_{j-1}\|}{2}$ in the direction of $v_{j-1}$ or $-v_{j-1}$ (this is the lifting step of lines 12 and 13). We let $x_i$ be the vector obtained by doing such a lifting step repeatedly, starting from $v_i \in L(B_i)$, until we have a lattice vector in $L(B)$.

The vectors $v_1, \dots, v_n$ are exactly the Gram-Schmidt orthogonalization of $x_1, \dots, x_n$, because $v_i$ is orthogonal to $v_1, \dots, v_{i-1}$ (it lies in the lattice projected orthogonally to them) and $x_i - v_i \in \mathrm{span}(v_1, \dots, v_{i-1})$ by the relation above. Moreover, projecting $L(B_j)$ orthogonally to its elementary vector $v_j$ divides the determinant by $\|v_j\|$, so $\prod_{i=1}^{n} \|v_i\| = \det L(B)$, which is also the determinant of the sublattice generated by $x_1, \dots, x_n$; and so the vectors $x_i$ must also form a basis of $L(B)$.

Also, we have for all $i \in [n]$, using the orthogonality of the $v_j$ and $|s_j| \le \frac{1}{2}$:
$$\|x_i\|^2 \le \|v_i\|^2 + \frac{\|v_1\|^2 + \dots + \|v_{i-1}\|^2}{4} \le \sum_{j=1}^{i} \|v_j\|^2 \le \sum_{j=1}^{i} \gamma^2\lambda_1^2(B_j) \le n\,\gamma^2\lambda_i^2(B) \quad \text{(from Lemma 2)}.$$

As $x_1, \dots, x_n$ are vectors of these lengths in the integer lattice $L(B)$, $x_1, \dots, x_n$ are polynomially representable in $M$ (and $\log\gamma$, but we can assume $\gamma \le 2^n$). Coupled with Lemma 3 this completes the proof. $\square$

Lemma 5. All vectors which are generated in a run of Algorithm 1 have a representation of size $\mathrm{poly}(M)$ for $M = \max\{n, \log(\max_i \|b_i\|)\}$, in case the entries are represented as quotients of natural numbers.

Proof. The vectors $v_i$ which are generated in line 6 at the different levels of recursion have a representation of size $\mathrm{poly}(M)$ by Lemma 4. The basis computed in line 7 is LLL reduced, and the vectors of an LLL reduced basis are at most a factor $2^{n}$ longer than the corresponding successive minima [14], which for the projected lattices are bounded by those of $L(B)$ (Lemma 2); hence this basis is representable in a number of bits polynomial in $M$ as well.

The remaining vectors are produced by oracles which run in polynomial time or are small linear combinations of other vectors. $\square$

We now give a proof of Theorem 2. 

Proof. (Theorem 2) Given $B \in \mathbb{Q}^{m \times n}$ and $t \in \mathbb{R}^m$ we run Algorithm 1. By Theorem 3, the algorithm returns a vector $z$ which is a $\gamma^2\sqrt{n}$-approximation to the closest vector. Also, by Lemma 5, all vectors in the algorithm have a polynomial size representation, and so the algorithm runs in time $\mathrm{poly}(\log\gamma, M)$. $\square$
A Solving BDD using a uSVP oracle

In this appendix we sketch the reduction from $\mathrm{BDD}_{1/(2\gamma)}$ to $\mathrm{uSVP}_\gamma$ from [15] for completeness. We will assume that $d(t, L(B))$ is known; it is shown in [15] how to avoid this assumption.

Proof. (Theorem 1) Let $(B, t)$ be an instance of $\mathrm{BDD}_{1/(2\gamma)}$ and let $\alpha = d(t, L(B)) < \frac{\lambda_1(B)}{2\gamma}$. For simplicity we assume that we know $\alpha$ (see [15] for bypassing this). Our goal is to find the vector $t^\dagger \in L(B)$ such that $d(t^\dagger, t) = \alpha$. We define the new basis
$$B' = \begin{pmatrix} B & t \\ 0 & \alpha \end{pmatrix}.$$
We will show that in $B'$ the vector $v := \binom{t^\dagger - t}{-\alpha}$ is a $\gamma$-unique shortest vector, so that the $\mathrm{uSVP}_\gamma$ oracle returns $\pm v$. It is clear that we can recover $t^\dagger$, the solution to the BDD problem, when given $v$. The length of $v$ is $\sqrt{2}\,\alpha$, and so it is enough to show that all vectors in $L(B')$ which are not a multiple of $v$ have length at least $\sqrt{2}\,\gamma\alpha$. Let us (for the sake of contradiction) assume that there is a vector $v_2$ with $\|v_2\| < \sqrt{2}\,\gamma\alpha$ which is not a multiple of the vector $v$ above. We can write $v_2$ as
$$v_2 = \binom{u - a t}{-a\alpha}, \quad \text{where } u \in L(B) \text{ and } a \in \mathbb{Z}.$$
Since $v_2$ is not a multiple of $v$, it must be that $u - a t^\dagger \in L(B)$ is a non-zero lattice vector (if it were zero, $v_2$ would equal $a v$). Now, using the triangle inequality, we get
$$\|u - a t^\dagger\| \le \|u - a t\| + |a|\,\|t - t^\dagger\| = \sqrt{\|v_2\|^2 - a^2\alpha^2} + |a|\,\alpha < \sqrt{2\alpha^2\gamma^2 - a^2\alpha^2} + |a|\,\alpha \le 2\alpha\gamma < \lambda_1(B)$$
(the expression is maximized when $|a| = \gamma$), which is a contradiction. $\square$
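As an added worked example (not code from the paper), the following Python implements Algorithm 1 of Section 4 together with the embedding of this appendix, which serves as its BDD subroutine (line 5). The SVP oracle is a toy brute-force enumeration, i.e. exact with $\gamma = 1$, so the guarantee of Theorem 3 becomes Kannan's $\sqrt{n}$ bound. Two details are assumptions of this example rather than the paper's: the embedding parameter is a rational lower bound on $\lambda_1/2$ (the choice "somewhat smaller than $\lambda_1$" from the introduction) instead of the unknown $d(t, L)$, and findbasis is a minimal unimodular completion without the LLL step of line 7. The lattice and the two targets are constructed; exact rational arithmetic keeps every projection and lift exact.

```python
from fractions import Fraction
from itertools import product
from math import floor, isqrt

def vec(*xs):
    """Exact rational vector (tuple of Fractions)."""
    return tuple(Fraction(x) for x in xs)
def dot(u, v): return sum(a * b for a, b in zip(u, v))
def sub(u, v): return tuple(a - b for a, b in zip(u, v))
def scale(c, v): return tuple(c * a for a in v)
def combine(basis, coeffs):
    """Lattice vector sum_i coeffs[i] * basis[i]."""
    out = [Fraction(0)] * len(basis[0])
    for c, b in zip(coeffs, basis):
        for j, bj in enumerate(b):
            out[j] += c * bj
    return tuple(out)
def round_frac(x):
    """Nearest integer to a Fraction (ties round up)."""
    return floor(x + Fraction(1, 2))
def dist2(basis, coeffs, t):
    """Squared distance between B*coeffs and t."""
    w = sub(combine(basis, coeffs), t)
    return dot(w, w)

def svp_oracle(basis, K=3):
    """Toy exact SVP oracle (gamma = 1): enumerate coefficients in [-K, K]^n.
    Assumption: the shortest vector lies in this box (true for the tiny inputs here).
    Returns (coefficients, vector); a shortest vector is automatically elementary."""
    best = None
    for coeffs in product(range(-K, K + 1), repeat=len(basis)):
        if any(coeffs):
            w = combine(basis, coeffs)
            l2 = dot(w, w)
            if best is None or l2 < best[0]:
                best = (l2, coeffs, w)
    return best[1], best[2]

def findbasis(basis, coeffs):
    """Lemma 1 (toy, no LLL): given primitive integer coefficients c of v = B c, return
    (U, B U) with U unimodular and first column c, so B U is a basis of L(B) starting
    with v.  U is built by mirroring the Euclidean row operations that reduce c to
    (1, 0, ..., 0) as the inverse column operations on the identity matrix."""
    n = len(coeffs)
    c = list(coeffs)
    U = [[int(i == j) for j in range(n)] for i in range(n)]
    for i in range(1, n):
        while c[i] != 0:
            q = c[0] // c[i]
            c[0] -= q * c[i]                      # row_0 -= q*row_i  <=>  col_i += q*col_0
            for r in range(n):
                U[r][i] += q * U[r][0]
            c[0], c[i] = c[i], c[0]               # swap rows         <=>  swap columns
            for r in range(n):
                U[r][0], U[r][i] = U[r][i], U[r][0]
    if c[0] < 0:                                  # negate row_0      <=>  negate column 0
        for r in range(n):
            U[r][0] = -U[r][0]
        c[0] = -c[0]
    assert c[0] == 1, "coefficient vector must be primitive"
    return U, [combine(basis, [U[r][j] for r in range(n)]) for j in range(n)]

def project_perp(vectors, v):
    """(b)_{perp v} = b - b|_v for every b, computed exactly."""
    vv = dot(v, v)
    return [sub(b, scale(dot(b, v) / vv, v)) for b in vectors]

def bdd_by_embedding(basis, t, a):
    """Appendix A embedding: SVP on the lattice spanned by (b_i, 0) and (t, a).  If
    d(t, L) < a <= lambda_1/2 the shortest vector is +-(t_dagger - t, -a), and t_dagger
    is read off the coefficients; otherwise the promise failed and we return None."""
    ext = [b + (Fraction(0),) for b in basis] + [tuple(t) + (a,)]
    coeffs, _ = svp_oracle(ext)
    y = coeffs[-1]
    return None if abs(y) != 1 else [-y * c for c in coeffs[:-1]]

def cvp_candidates(basis, t):
    """The two candidates z_1 (line 5) and z_2 (lines 6-13) as coefficient vectors."""
    n = len(basis)
    vcoeffs, v = svp_oracle(basis)                        # line 6
    vv = dot(v, v)
    a = Fraction(isqrt(int(vv * 10**6)), 2 * 10**3)       # rational lower bound on ||v||/2 (assumed choice)
    z1 = bdd_by_embedding(basis, t, a)                    # line 5
    U, newbasis = findbasis(basis, vcoeffs)               # line 7 (LLL omitted)
    bperp = project_perp(newbasis[1:], v)                 # lines 8-9
    tperp = sub(t, scale(dot(t, v) / vv, v))              # line 10
    rest = cvp(bperp, tperp)                              # line 11: a_2, ..., a_n
    w = combine(newbasis[1:], rest)                       # line 12, lifted back (unprojected)
    a1 = round_frac(dot(sub(t, w), v) / vv)               # line 13: best multiple of v
    z2 = [sum(U[r][j] * x for j, x in enumerate([a1] + rest)) for r in range(n)]
    return z1, z2

def cvp(basis, t):
    """Algorithm 1 with an exact oracle: coefficients x with ||Bx - t|| <= sqrt(n) d(t, L)."""
    if len(basis) == 1:                                   # lines 1-3
        b = basis[0]
        return [round_frac(dot(t, b) / dot(b, b))]
    z1, z2 = cvp_candidates(basis, t)
    return min((z for z in (z1, z2) if z is not None), key=lambda z: dist2(basis, z, t))

def exact_cvp_dist2(basis, t, K=4):
    """Brute-force d(t, L)^2 for checking the approximation factor (same box assumption)."""
    return min(dist2(basis, c, t) for c in product(range(-K, K + 1), repeat=len(basis)))

# Constructed example: lambda_1 = 4 with shortest vector +-(4, 0, 0).
B = [vec(4, 0, 0), vec(1, 4, 0), vec(1, 1, 4)]
T_FAR = vec(2, 2, 2)                 # d(t, L)^2 = 6 > (lambda_1/2)^2: outside the BDD promise
T_NEAR = vec(4, 0, Fraction(1, 2))   # d(t, L) = 1/2: inside the BDD promise

if __name__ == "__main__":
    for t in (T_FAR, T_NEAR):
        z = cvp(B, t)
        print(z, combine(B, z), dist2(B, z, t), exact_cvp_dist2(B, t))
```

For T_NEAR the embedding decodes $t^\dagger = (4, 0, 0)$ exactly, as Theorem 1 promises; for T_FAR the promise fails, and it is the projected-and-lifted candidate $z_2$ that carries the $\sqrt{n}$ guarantee of Theorem 3 (here both candidates happen to hit $(1, 1, 4)$). Brute-force enumeration replaces a real SVP oracle only for dimension three or four; the structure of the recursion, the unimodular completion and the embedding are what the example is meant to show.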



